Users of cloud computing continue to be concerned with the protection of private information they store in the cloud. The revelations regarding widespread national security surveillance have increased scrutiny of the issue and its scope.
Cloud users need to trust that their data, which may be stored anywhere in the world, will not be used or disclosed by a cloud provider in unauthorized ways. Countries can provide these assurances with appropriate privacy laws. But it is a delicate balance: unnecessarily burdensome restrictions will hinder the important advantages of cloud computing that users want and need.
This section of the Scorecard examines how countries are managing these competing interests. Overall, the concern for privacy has produced many positive results around the globe, including significant law reform, greater oversight of national security agencies, a strengthening of security and encryption regimes by key cloud service providers and a greater public awareness of data privacy issues.
But in some nations, governments have proposed stronger restrictions on the cross-border transfer of data without further benefits. If those proposals become law, they could negatively impact cloud service providers.
Since 2013, most countries have data protection frameworks in place and have established independent privacy commissioners. Many of the protection laws are based on the Organisation for Economic Co-operation and Development Guidelines, the European Union Data Protection Directive and the Asia-Pacific Economic Cooperation Privacy Principles.
However, some countries still have registration requirements for data controllers and cross-border data transfers in place, and a small number of countries have adopted or proposed prescriptive data localization regimes that would require cloud providers to restrict the free flow of data or build costly — and unnecessary — servers in order to provide services in a specific market.
Canada and Korea have the highest scores in the privacy section, offering comprehensive privacy regimes with no onerous registration requirements. Because Japan continues to update and reform its privacy laws, it also scores well in this section. South Africa received a big boost to its score and ranking for introducing a comprehensive privacy regime.
Unfortunately, privacy laws are still absent or insufficient in several countries. Brazil, Thailand and Turkey have no comprehensive laws in place, while laws in China, India, Indonesia and Vietnam remain very limited.
One notable development is the introduction of a new data protection framework in Russia containing prescriptive data localization requirements, such as a new law requiring that the personal data of Russian citizens be stored on servers based in Russia. This new regime is likely to act as a significant barrier to cloud service providers, and Russia’s score and ranking fell as a direct result.
Privacy laws in the European Union and the United States continue to be the subject of significant debate and reform. The EU is close to the final implementation of a new regulation. The proposed General Data Protection Regulation (GDPR) contains many positive elements, and it should drive improved harmonization of laws across Europe. But the proposed regulation presents some challenges and potential administrative burdens for cloud service providers, including its liability regime, extension of data processor burdens, and the potential for jurisdictional clashes on access to data by authorities.
(Editor’s note: Following the completion of the research underlying this year’s report, the United States and European Union have continued to move closer to finalizing a new agreement, the Privacy Shield, that will allow data to continue to be shared across borders. This is an important development that was not finalized in time to be fully considered for this report.)
In the United States, officials have not made significant progress on development of general privacy legislation, but work has increased on improving oversight of national security agencies and improving legal redress avenues for overseas data subjects.